North Carolina's Information Technology Consolidation Audit

Transcription

1 STATE OF NORTH CAROLINA PERFORMANCE AUDIT INFORMATION TECHNOLOGY CONSOLIDATION JANUARY 2013 OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE AUDITOR

2 PERFORMANCE AUDIT INFORMATION TECHNOLOGY CONSOLIDATION JANUARY 2013

3 STATE OF NORTH CAROLINA Office of the State Auditor Beth A. Wood, CPA State Auditor 2 S. Salisbury Street Mail Service Center Raleigh, NC Telephone: (919) Fax: (919) Internet January 4, 2012 The Honorable Beverly E. Perdue, Governor Members of the North Carolina General Assembly Mr. Jonathan Womer, State Chief Information Officer Office of Information Technology Services Mr. Womer: We are pleased to submit this performance audit titled Information Technology Consolidation. The audit objective was to evaluate whether consolidation of information technology (IT) by the Office of Information Technology (ITS) pursuant to North Carolina Senate Bill 991 has achieved its intended objectives. Mr. Womer received a copy of this report. His written comments are included in the appendix. The Office of the State Auditor initiated this audit to help ensure the accuracy of agency bills for services provided by the Office of Information Technology Services. We wish to express our appreciation to the staff of the Office of Information Technology services for the courtesy, cooperation, and assistance provided us during the audit. Respectfully submitted, Beth A. Wood, CPA State Auditor

4 TABLE OF CONTENTS PAGE SUMMARY... 2 INTRODUCTION BACKGROUND... 4 OBJECTIVES, SCOPE, AND METHODOLOGY... 5 FINDINGS AND RECOMMENDATIONS... 6 APPENDIX AUDITOR S RESPONSE DEPARTMENT RESPONSE ORDERING INFORMATION... 16

5 PERFORMANCE AUDIT SUMMARY PURPOSE This audit report evaluated whether consolidation of information technology (IT) by the Office of Information Technology (ITS) pursuant to North Carolina Senate Bill 991 has achieved its intended objectives. This audit makes recommendations so the Governor, General Assembly and ITS can take appropriate corrective action. RESULTS ITS has not established performance measures to determine if the goals of IT consolidation have been achieved. Specifically, ITS has not established metrics to determine if consolidation of IT products and services has achieved the following three goals: 1. Strengthen state agency focus on its core mission 2. Improve IT service delivery 3. Reduce statewide IT costs First, ITS has not developed measures to determine whether IT consolidation has strengthened state agency focus on its core mission. By transferring responsibility for the maintenance and operation of IT infrastructure, consolidation is intended to enable agencies to respond more quickly to customer and citizen needs. Without associated performance measures, the impact of consolidation on the activities and services provided to the citizens of North Carolina cannot be determined. Second, ITS has not developed performance measures to determine whether consolidation has improved the delivery of IT services. Consolidation is intended to improve the quality of IT infrastructure, reduce overall risk of downtime, improve disaster recovery, and enhance business continuity planning. Without associated performance measures, the Governor and General Assembly cannot determine whether consolidation has achieved these improvements. Third, ITS has not established measures to evaluate if consolidation has reduced the cost of the products and services provided through information technology. While initial estimates produced by ITS were for overall service costs to be lower three years after implementation, ITS did not establish baseline cost data or create performance measures to determine if consolidation has produced these projected savings. In addition, performance measures can also provide valuable information when deciding whether consolidation should be expanded to other agencies or whether specific IT products and services should be outsourced to private vendors. 2

6 PERFORMANCE AUDIT RECOMMENDATIONS ITS should establish performance measures and targets to determine if the goals of IT consolidation have been achieved: strengthened state agency focus on its core mission, improved service delivery, and reduced cost at each consolidated state agency. The General Assembly should consider requiring executive branch agencies, where IT has not been consolidated with ITS, to implement performance measures as established by ITS. This performance information will assist the General Assembly in determining whether IT consolidation should be expanded to other executive branch agencies or whether specific IT products and services should be outsourced to private vendors. AGENCY S RESPONSE The Agency s response is included in the appendix. 3

7 PERFORMANCE AUDIT INTRODUCTION BACKGROUND To improve the efficiency and effectiveness of the state s information technology (IT) services, the North Carolina General Assembly directed the State Chief Information Officer (State CIO), in conjunction with the Office of State Budget and Management (OSBM) to develop a detailed plan for consolidating IT products and services. 1 State law gives the Office of Information Technology Services (ITS) the authority to establish and operate information resource centers and services to serve two or more departments on a cost-sharing basis if the State CIO, in consultation with OSBM, decides it would be more efficient and economical. 2 Consolidation centralizes information technology by utilizing a single provider to provide products and services to many agencies. The goal is to strike a balance between a centralized and decentralized IT organization. A centralized IT organization can serve to reduce overall costs, but risks being unresponsive and inflexible to agencies served. A decentralized organization allows agencies to customize information technology to meet their specific business requirements, but risks redundant systems among state agencies. ITS provides consolidated IT products and services to state agencies, local governments, and educational institutions across North Carolina. Currently, the IT infrastructure and associated business processes of 13 executive branch agencies and commissions have been fully consolidated. 3 In addition, the IT infrastructure of the other executive branch agencies has been partially consolidated. For example, human resource and payroll services provided through BEACON are utilized by all state agencies. Other IT functions, such as , help desk, and desktop computer purchasing and support have been consolidated for only some state agencies. 4,5 Consolidation was expected to achieve significant cost savings to the state. Based on projections developed by OSBM and ITS, consolidation of state agency IT products and services was expected to realize at least $3.2 million in savings by June 30, As specified in Senate Bill As specified in G.S Consolidation was implemented in two phases. Phase I fully consolidated agencies include: Office of Governor, Office of State Budget and Management (OSBM), Department of Administration (DOA), Office of State Personnel (OSP), and the Office of Lieutenant Governor. Phase II fully consolidated agencies include: Department of Commerce, Department of Cultural Resources (DCR), Department of Juvenile Justice and Delinquency Prevention (DJJDP), Office of State Controller (OSC), Alcoholic Beverage Control Commission (ABC), Commission of Banks (COB), Industrial Commission (NCIC) and the Office of Administrative Hearings (OAH). 4 Office of State Chief Information Officer, State Information Technology Consolidation Report March Service offerings are described in the ITS Service Catalog. 6 Based on estimates presented to affected state agencies by ITS and OSBM, costs to implement agency consolidation were estimated at $3.5M with resulting benefits estimated at $6.7M. Estimated costs and benefits 4

8 PERFORMANCE AUDIT OBJECTIVES, SCOPE, AND METHODOLOGY The audit objective was to determine whether consolidation of information technology (IT) by the Office of Information Technology (ITS) pursuant to North Carolina Senate Bill 991 has achieved its intended objectives. The Office of the State Auditor initiated this audit to improve the effectiveness of the state s IT services. The audit scope included an evaluation of the goals and objectives of the process to transfer and consolidate state agency owned IT assets and related services to the Office of Information Technology Services (ITS). We conducted the fieldwork from January 2012 to June To achieve the audit objective we reviewed state laws and interviewed ITS personnel. We reviewed North Carolina Accounting System (NCAS) IT expenditure and receipts data. We also reviewed other government IT consolidation projects. Because of the test nature and other inherent limitations of an audit, together with limitations of any system of internal and management controls, this audit would not necessarily disclose all performance weaknesses or lack of compliance. As a basis for evaluating internal control, we applied the internal control guidance contained in professional auditing standards. As discussed in the standards, internal control consists of five interrelated components, which are (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We conducted this audit under the authority vested in the State Auditor of North Carolina by North Carolina General Statute for Phase I of agency IT consolidation were presented in February 2006 and included projections for the period July 1, 2005 through June 30, Total estimated Phase I costs and benefits for this period totaled $603,527 and $1,240,750 respectively. Estimated costs and benefits for Phase II of agency IT consolidation were presented in February 2008 and included projections for the period July 1, 2006 through June 30, Total estimated Phase II costs and benefits for this period totaled $2,905,762 and $5,446,522 respectively. The estimated savings for Phase II incorporated estimated savings from accelerated server virtualization. 5

9 FINDINGS AND RECOMMENDATIONS PERFORMANCE MEASURES NOT ESTABLISHED FOR IT CONSOLIDATION The Office of Information Technology Services (ITS) has not established performance measures to determine if the goals of consolidation have been achieved. ITS has established three key performance goals for consolidation of information technology (IT) products and services: 1. Strengthen state agency focus on its core mission 2. Improve IT service delivery 3. Reduce statewide IT costs 7 Performance Measures Enable Evaluations of Goal Achievement To help ensure achievement of goals and objectives, The Government Accountability Office (GAO) recommends that government agencies establish and monitor performance measures. 8 The GAO also states that associated performance data should be used to continually compare actual results with associated goals. In addition, the Governor s Executive Order No. 3, issued in January 2009, requires performance measures. Executive Order No. 3 requires state agencies that operate under the Governor s authority to establish goals that are clear, concise, focused and defined by objectively measurable outcomes. The Executive Order also requires that the agencies measure progress toward achievement of their priorities. Without performance measures, the Governor, Legislators, and the citizens of North Carolina cannot evaluate the effectiveness of IT products and services. Specifically, performance measures that are clearly linked to goals and objectives can provide important information for evaluating the effectiveness of IT consolidation, and whether IT consolidation should be expanded to other executive branch agencies. In addition performance information can be used to evaluate whether specific products and services should be outsourced to private vendors. Strengthen State Agency Focus on Its Core Mission ITS has not developed measures to determine whether consolidation has strengthened state agency focus on its core mission. Consequently, the impact of IT consolidation to 7 OSBM, Information Technology Consolidation Report December In addition to the three identified performance goals, ITS also established another goal to upgrade the information technology infrastructure to a minimum standard. We did not include an evaluation of this goal in our audit because it does not directly correlate to performance outcomes. Upgrades to information technology serve to increase the capability of information technology resources. This increased capability can help improve service delivery by reducing the risk of equipment failure. In addition, upgrades to IT infrastructure may serve to reduce support costs by creating common equipment configurations. However achievement of the goal of upgrading information technology infrastructure to a minimum standard does not demonstrate achievement of either of these performance outcome goals. 8 GAO, GAO G Internal Control Management and Evaluation Tool, August

10 FINDINGS AND RECOMMENDATIONS state agency activities and services provided to the citizens of North Carolina cannot be determined. ITS states that the overarching principle of consolidation is that agencies should devote more of their efforts to information technology needs unique to their agencies, not basic infrastructure. 9 ITS further states that by transferring responsibility for the maintenance and operation of IT infrastructure, consolidation is intended to enable agencies to respond more quickly to customer and citizen needs. In addition, consolidation is intended to enable agencies to devote more attention to the development and support of state agency specific software application, project management, portfolio management and web site content and improvements. State law says the goal of consolidation is to better align people, hardware and functions so that state agencies focus on their core missions, and provide better services to the citizens of North Carolina as efficiently as possible. 10 Without performance measures, ITS cannot determine whether consolidation has improved the activities and services provided to the citizens of North Carolina. Improve IT Service Delivery ITS has not developed performance measures to determine if IT service delivery has improved. ITS stated that consolidation is intended to improve the quality of IT infrastructure and responses to associated incidents. 11 ITS currently has one performance measure which is provided to agencies and the Legislature. This measure is designed to measure the level of service provided to agencies by identifying the time to respond to and resolve incident service requests from agencies. 12 However, this measure does not link to the goals of consolidation. ITS stated that improvements in IT infrastructure and responses to incidents will serve to reduce the overall risk of downtime because of security breaches, hardware failure, network failure, vendor non-performance and facility issues such as power outages. In addition, OSBM stated that consolidation is intended to enable improved disaster recovery and business continuity planning. 13 Since the IT consolidation project began, ITS has implemented changes intended to improve IT security and availability. These changes include: Implementing encryption on personal computers Implementing anti-virus management Upgrading the Wide-Area-Network (WAN) bandwidth for three agencies 9 OSBM, Information Technology Systems: Consolidation and Management Since Senate Bill 991 January Senate Bill OSBM, Information Technology Consolidation Report December An incident is an event, which causes disruption to, or a reduction in the quality of services. 13 OSBM, Information Technology Systems: Consolidation and Management Since Senate Bill 991 January

11 FINDINGS AND RECOMMENDATIONS Implementing server encryption for two agencies Without performance measures that link to the goals of consolidation, ITS does not know whether these or future changes under consolidation have served to achieve the goals of consolidation. Reduce Statewide IT Costs ITS has not established measures to evaluate if consolidation has reduced the cost of IT products and services. While initial estimates produced by ITS were for overall service costs to be lower three years after implementation, ITS cannot demonstrate that consolidated services are being provided at a lower cost. ITS is currently unable to readily calculate the actual cost for each of the products and services provided to consolidated agencies because they have not developed a cost accounting system. In addition, ITS has not obtained cost data for each of these products and services incurred by agencies prior to consolidation. ITS asserts that this information would be difficult to obtain because of the lack of consistency in the way agencies account for specific IT products and service costs. Recommendations: ITS should establish performance measures and targets to determine whether consolidation has strengthened state agency focus on its core mission, improved service delivery, and reduced cost at each consolidated state agency. At a minimum, these measures should allow the Governor, General Assembly, and citizens of North Carolina to evaluate consolidated IT activities and services to determine the: Effectiveness of IT services in meeting end-user requirements Availability, security and ability to timely restore critical operations Unit and total cost of each consolidated product or service The General Assembly should consider requiring non-consolidated executive branch agencies to implement IT performance measures, as established by ITS. This performance information, along with other factors such as economic and budget considerations will assist the General Assembly in determining whether consolidation should be expanded to other executive branch agencies or whether specific IT products and services should be outsourced to private vendors. 8

12 [ This Page Left Blank Intentionally ] 9

13 APPENDIX Auditor s Response We are required to provide additional explanation when an agency s response could potentially cloud an issue, mislead the reader, or minimize the importance of our findings. Generally Accepted Government Auditing Standards state, When the audited entity s comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, or when planned corrective actions do not adequately address the auditor s recommendations, the auditors should evaluate the validity of the audited entity s comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. To ensure the availability of complete and accurate information and in accordance with Generally Accepted Government Auditing Standards, we offer the following clarifications: The ITS response states the audit implies that unit cost and performance information must exist before deciding whether consolidation should take place. This idea is contrary to best practice and severely misses the critical circumstances of the state s IT spending on multiple applications Our audit objective was to evaluate whether consolidation of information technology by ITS pursuant to North Carolina Senate Bill 991 has achieved its intended objectives. Our audit did not include an evaluation of the merits of IT consolidation. Our audit found that ITS did not collect the information needed to determine whether the objectives of IT consolidation have been achieved. Specifically, Senate Bill 991 authorizes ITS: To establish and operate information resource centers and services to serve two or more departments on a cost-sharing basis if (emphasis added) the State CIO, after consultation with the Office of State Budget and Management, decides it is advisable from the standpoint of efficiency and economy to establish these centers and services. ITS should have obtained and used evidence to help decide whether consolidation of IT centers and services is advisable from the standpoint of efficiency and economy. However, ITS was unable to provide any cost or performance information for any of the three reported consolidation goals. Also, ITS appears to have provided the Legislature with unsubstantiated estimates of cost savings from IT consolidation. ITS provided the Legislature with a cost savings estimate of $3.2 million. Yet, the ITS response states that information necessary to calculate these cost savings was not available because the agencies mostly did not measure IT infrastructure unit cost and performance. 10

14 Without cost and performance information, the Governor and Legislature do not have sufficient information to determine which IT infrastructure and applications should consolidate and when exceptions should apply because of special needs. The Governor, Legislators, and the citizens of North Carolina should consider the clarification provided above when evaluating the Office of Information Technology response to the audit findings. 11

15 APPENDIX State of North Carolina Office of Information Technology Services Beverly Eaves Perdue Jonathan Womer Governor State Chief Information Officer December 18, 2012 The Honorable Beth A. Wood, CPA State Auditor Office of the State Auditor 2 South Salisbury Street Mail Service Center Raleigh, North Carolina Dear Ms. Wood: We have reviewed the October 2012 confidential draft of the performance audit of information technology infrastructure consolidation. ITS agrees that establishing more extensive performance measures for the future would allow better decision making regarding the costs and benefits of future infrastructure consolidation. ITS has already begun working to develop or enhance metrics around the consolidation program and general ITS services. However, the audit implies that unit cost and performance information must exist before deciding whether consolidation should take place. This idea is contrary to best practice and severely misses the critical circumstances of the state s IT spending on multiple applications. North Carolina state government desperately needs dramatic consolidation of IT infrastructure and applications in order to save money, improve services, and protect our critical data. Agency operating budgets are projected to be flat or declining for the foreseeable future. At the same time agencies separately operate: 12 case management systems 14 grant management systems 17 document management systems 36 licensing and permitting systems The list of redundant applications goes on and on. In addition, agencies operate multiple systems, networks, telephone systems, data centers, and other redundant infrastructures. Individually these systems are falling further and further behind the state of the art because individual agencies do not have the resources to keep up. Only together can we build modern systems that then can serve all of the agency needs. Build once; use many is the most important metric for consolidation. P.O. Box 17209, Raleigh, NC Mail Service Center, Raleigh NC Telephone: An Equal Opportunity/Affirmative Action Employer 12

16 ITS response to consolidation audit Page 2 Since arriving at ITS this past February I have worked to prepare ITS for dramatic consolidation. We have just posted in the NC Register new procurement rules to give the state more power to more easily negotiate the best deals for the state. We are implementing a new statewide IT project tracking and approval system to provide the needed detail to allow comparison of redundant IT systems. In addition, we are merging the project oversight with our procurement oversight so we can enforce consolidation and ensure new systems are structured for multiple agencies. These changes should be implemented by the 2 nd quarter of ITS has started a new internal financial system that will allow visibility into ITS unit cost and industry benchmarks, such as those provided in Gartner Research, or price lists published by commercial vendors for comparable services, which we already use. These changes will provide an easier transition for agencies to use ITS consolidated services. The new financial system should be in use by the end of the 1 st quarter of 2013 with the unit costing functionality fully implemented by the end of 2 nd quarter. When we establish our new financial system we will look into the feasibility of letting other agencies use the system as well for their internal measurement of IT service cost and performance. Performance measures are important, and we are making other improvements in this area as well. For the future, ITS is finalizing an updated (Service Level Agreement) SLA. Our goal is to provide this draft to our customers by end of the calendar year for their review and feedback. We plan to have the new SLA, which will be tracked and measured on a monthly basis within our scorecards, in place by end of 1 st quarter The global SLA will span all ITS services. We will also have individual SLAs specific to each ITS services. This will address key performance metrics ITS is measuring such as 1) effectiveness of IT services in meeting end-user requirements and 2) availability, security and ability to timely restore critical operations. The audit finds that performance measures should be established to validate that the goals of consolidation have been achieved. This requires unit cost and performance information from the consolidated agencies, but such does not exist. In 2005, the Office of State Budget and Management conducted a cost-benefit analysis of consolidating the IT infrastructure of many small agencies into services run by ITS. Unfortunately, the agencies mostly did not measure IT infrastructure unit cost and performance. Estimates had to be made based on best available information. Analyses clearly identified the lack of an industry standard infrastructure that increased the risk of failures and breaches of security. In addition, there was clear redundancy among the infrastructures maintained by the agencies and ITS. This was, and continues to be, enough information to support IT consolidation. If severe redundancy exists, consolidations should take place. We acknowledge that more needs to be done, especially for the future, and will aggressively pursue more extensive performance and cost comparisons. Similar measures could be adopted by nonconsolidated agencies, as you suggest, when considering future consolidation. As you noted, this would require work with other oversight entities. ITS alone does not have the authority to require such measures of agencies, especially in the area of unit cost measurement. In addition, as noted earlier, establishing measures today will not allow the state to look back into the past to see if the goals of consolidation were achieved. And while performance-based measures should be strongly considered in determining whether consolidation should take place, or whether it can be deemed a success, it should not be the sole criteria. The economies of scale in IT are obvious. We do not need multiple redundant applications and infrastructures Thank you again for the opportunity to respond to the audit. ITS looks forward to working with the Office of State Auditor or any others to improve the efficiency and effectiveness of information 13

17 ITS response to consolidation audit Page 3 technology in delivering services to the state s citizens. If your office has any specific suggestions for performance measures we would be happy to discuss them at any time. Sincerely, Jonathan Womer 14

18 [ This Page Left Blank Intentionally ] 15

19 ORDERING INFORMATION Audit reports issued by the Office of the State Auditor can be obtained from the web site at Also, parties may register on the web site to receive automatic notification whenever reports of interest are issued. Otherwise, copies of audit reports may be obtained by contacting the: Office of the State Auditor State of North Carolina 2 South Salisbury Street Mail Service Center Raleigh, North Carolina Telephone: 919/ Facsimile: 919/ This audit required 1,634 audit hours at an approximate cost of $121,714. The cost represents.064% of the $190 million in total expenditures subjected to audit. 16